LockBit Claims 5TB Data Theft in Ransomware Attack on Foxsemicon
Foxsemicon Integrated Technology Inc. (FITI), a Taiwanese semiconductor parts manufacturer affiliated with Hon Hai Technology Group, said it was hit by a ransomware attack that defaced its website and displayed a threat to leak allegedly stolen data. The attackers, identified in reporting as the LockBit ransomware gang, claimed they had stolen and encrypted 5TB of company data, including customer and employee personal information, and warned they would publish it on a darknet leak site if a ransom was not paid.
Foxsemicon told the Taiwan Stock Exchange it restored its website the same day it detected the incident, brought in security experts, and did not expect a significant impact on operations. The company did not disclose any ransom demand and had not confirmed whether customer or employee data was actually exfiltrated, while parts of its website reportedly remained inaccessible and search results continued to show the attackers' message. The incident stood out because website defacement is considered unusual for LockBit, which more commonly pressures victims through its extortion portal.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
LockBit linked to Foxsemicon ransomware incident in media reporting
Subsequent reporting attributed the Foxsemicon attack to the LockBit ransomware gang, noting that the website defacement was unusual for the group. Reports also said parts of the site remained inaccessible and search results still displayed the attackers' message.
Foxsemicon restores website and notifies Taiwan Stock Exchange
Foxsemicon said it restored its website the same afternoon after detecting the attack, engaged external security experts, and reported to the Taiwan Stock Exchange that the incident was not expected to significantly affect operations. The company did not disclose the ransom demand or confirm any actual data leak.
Foxsemicon detects ransomware attack and website defacement
Foxsemicon Integrated Technology Inc. detected a ransomware incident in which its website was defaced with a ransom note. The attackers claimed they had stolen and encrypted 5 TB of data, including customer and employee information, and threatened to leak it if a ransom was not paid.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Nitrogen Claims Foxconn Wisconsin Breach Exposed 8TB of AI Manufacturing Data
Foxconn said operational IT issues disrupted its Mount Pleasant, Wisconsin campus, where workers reported a broad network outage affecting Wi‑Fi, core infrastructure, and timekeeping systems as production was gradually restored. The **Nitrogen** ransomware group later claimed responsibility on its extortion site, alleging it stole **8TB** of data spanning more than **11 million files** from the Racine County facility, including assembly instructions, hardware schematics, and data center topology diagrams tied to customers such as **Apple, Intel, Google, NVIDIA, and Dell**. Foxconn has not verified the authenticity of the leaked samples or disclosed any ransom demand, and reports said the incident may also have affected a Foxconn site in Houston. The claimed breach adds to a pattern of ransomware incidents affecting Foxconn manufacturing operations. In 2022, Foxconn confirmed a ransomware attack at its **Tijuana, Mexico** plant that disrupted production and was claimed by **LockBit**, with the company saying recovery was underway and overall business impact would be limited. That attack followed a 2020 intrusion at Foxconn’s **Ciudad Juárez** facility attributed to **DoppelPaymer**, underscoring repeated targeting of the company’s production sites and raising renewed supply-chain and industrial espionage concerns around its AI server and electronics manufacturing operations.
May 25, 2026
LockBit 5.0 Infrastructure Exposure and Post-Takedown Activity
LockBit 5.0, a major ransomware-as-a-service operation, recently attempted to reestablish its presence by launching a new 'secure' blog domain with claims of enhanced protection against law enforcement. However, security researchers quickly identified and publicly exposed the IP address and domain (`karma0[.]xyz`, IP: `205.185.116.233`), revealing multiple open ports and vulnerable remote access, which left the infrastructure susceptible to disruption. Further analysis showed that LockBit was recycling old victim data on its leak site, with several entries originating from previous leaks or other ransomware groups, highlighting operational security failures and attempts to maintain the appearance of ongoing activity. This exposure comes in the wake of a significant international law enforcement operation (Operation Cronos) that disrupted LockBit's infrastructure, compromised its administration panel, and led to the public release of affiliate and victim data. Despite these setbacks and reputational damage, LockBit has demonstrated resilience, attempting to reassert itself by reusing old data and launching new infrastructure, though these efforts have been undermined by continued security lapses. Defenders are advised to block the exposed IP and domain and monitor for further developments as the group persists in its operations.
Mar 21, 2026
LockBit 5.0 Ransomware Introduces Advanced Encryption and Maintains Global Dominance
LockBit 5.0 has emerged as the latest evolution of the notorious ransomware-as-a-service operation, introducing sophisticated encryption algorithms and advanced anti-analysis techniques that significantly complicate detection and recovery efforts for targeted organizations. The malware now employs a combination of ChaCha20-Poly1305 for file encryption and X25519 with BLAKE2b for secure key exchange, while also terminating Volume Shadow Copy Service processes to prevent system recovery. LockBit 5.0’s runtime flexibility allows it to operate even without specific parameters, and its use of advanced packing and obfuscation further hinders static analysis by security professionals. Despite increased law enforcement pressure, LockBit has sustained its position as a dominant global ransomware threat, accounting for a substantial share of attacks worldwide. The group’s operations have impacted a wide range of sectors, including IT, electronics, law firms, and religious institutions, resulting in billions of dollars in ransom payments and recovery costs. LockBit continues to leverage its dark web platform to publicly list compromised organizations and stolen data, using these tactics to pressure victims into paying ransoms.
Mar 21, 2026